The electric utility industry is currently undergoing the greatest period of transformation in its history. Utilities are facing new challenges, and these challenges present opportunities for them to reevaluate business processes that have remained unchanged for decades. This blog series delves into six of what we consider to be the most impactful challenges, dissects them, and hypothesizes how they will shape the future of the utility industry. This blog post explores how security requirements have evolved in recent decades and how utilities can proactively approach cybersecurity.
In early 2000, Vitek Boden, a disgruntled ex-employee of a vendor for the Maroochy Shire Council in Australia, decided to settle scores. Using his knowledge as a former insider, he managed to hack into the Maroochy Water Services SCADA system and disrupt various sewage pump stations, releasing more than one million liters of sewage into local waterways and parks. Boden’s actions caused significant environmental damage and created the potential for mass disease and illness. This incident has led to a security overhaul in the utilities industry across the globe.
From protection against large scale epidemics as described above to protections against blackouts caused by a hostile nation or entity, cybersecurity is a top priority in the utilities community today. To understand the challenges of cybersecurity, let’s take a stroll back in time. In the 1950s after the mass electrification of the United States, supplying electricity reliably across the length and breadth of the nation was of primary importance. Digitization was still years away, and smart grids more distant still. Security measures were developed primarily to protect against physical intrusion to sensitive installations like substations. Protection against rogue agents gaining entry to sensitive installations became more important as the U.S. began to harness nuclear power for energy in the ‘60s and ‘70s. This was primarily achieved through thorough background checks of all utility personnel, adherence to guidelines set by organizations such as Occupational Safety and Health Administration (OSHA), and others. The personal computer revolution of the late ‘70s and early ‘80s brought with it specific challenges related to digitization and safety.
With the rise of the internet and large-scale digitization and interconnectedness in the ‘90s, cybersecurity started to become a major concern. Hackers don’t need physical presence to wreak havoc on both consumer and corporate networks. A misplaced click on an innocent-looking link could take out an entire corporate communications network for days, costing millions of dollars in losses to a corporation. Utility companies, too, must now face these challenges, as the rollout of the smart grid has brought with it hitherto unknown levels of interconnectedness between the utility, the grid, and everyday customers. As the Vitek Boden incident suggests, not only does physical access to the premises need monitoring, online access to critical and sensitive systems must be monitored as well.
So how does a utility protect itself from being “Bodened?” While new threats will continue to emerge, the answer lies in adoption of two major strategies. The first strategy is spreading awareness about security threats through education and adopting a security-conscious culture throughout the organization. The second is adopting institutional standards and enforcing those standards by only interacting with vendors who adhere to them.
Let us first talk about spreading awareness through education. Password manager Keeper compiled a list of the most commonly used passwords from the 25 million passwords leaked during data breaches in 2016. Among the top five were ‘123456,’ ‘123456789,’ ‘qwerty,’ ‘12345678,’ and ‘111111.’ In another example of breached security, an executive, disregarding his firm’s IT policy, decided to use his own router at base factory settings in the office only to realize that his emails were hacked and were being sent to a server in China. Examples such as these display a general lack of awareness about security. Through education and IT policies, corporations are moving toward a more security-focused culture. Disallowing personal external drives from being inserted into work computers, restricting access to certain websites and requests via firewall, and only allowing installations of software and hardware by recognized IT personnel are some of the changes that organizations are implementing to make themselves less vulnerable to external attack.
While education and awareness can revolutionize the security apparatus of a utility, there are institutional changes that must be made to bolster security as well. These institutional changes are determined based on standards such as the critical infrastructure protection (CIP) standard by North American Electric Reliability Corporation (NERC). These cybersecurity standards are mandatory for compliance and help the utility industry in general to become more secure. For example, after the Boden attack, CIP standards were updated to ensure direct radio communication with SCADA is not permitted. From that point forward, communication standards such as MultiSpeak could be used to issue commands to a SCADA system to garner information about the system with proper security and a gatekeeper device. Older communication standards such as ICCP could no longer be used to communicate with SCADA systems. Vendor selection processes for member utilities also change to comply with these standards. This speeds up the adoption of security-related standards and reduces security risks to important and sensitive installations.
Evaluation of how well a utility is meeting its goals, both from a security education perspective and from an adoption of utility standards perspective, is achieved through yearly or quarterly security audits. Just like financial audits evaluate the financial health of a company, these security audits determine the health of the security infrastructure of a utility. These audits, performed by a third party, may identify loopholes that can be exploited by hackers to gain unlawful entry into sensitive systems. These also help instill a security-conscious mindset in solution architects, developers, and vendors, as the penalties of non-adherence to security standards may lead to costly changes to the solution, depleting the budget allocated to the projects they are running.
As the utility industry continues to break new ground and enter new levels of automation and digitization, security measures must continue to evolve to meet the ever-present threat of rogue entities attempting to disturb the United States’ energy and water supplies for their own nefarious purposes. A combination of both large scale institutional changes and security awareness at the individual level will be required to meet these security challenges. However, the efforts to combat security threats are worth the benefits reaped through grid modernization. With proactive solutions in place, utilities and the third-party vendors they select will be ever-ready to meet emerging security challenges.
About the Author
As a senior consultant for Red Clay Consulting, Ankit Malik works primarily in analysis of software functionality and client requirements, designing a complete solution, leading teams performing the configuration or custom development required to meet requirements, leading testing efforts including unit, string and migration testing, and delivery support. Ankit offers a strong background of C and C++ programming, as well as significant experience in XML, XPath and many other scripting languages. Ankit has worked with SOAP, AJAX, and is knowledgeable of web services. He is also experienced in Middleware architecture and technologies, including BPEL and Oracle SOA Suite, and has worked extensively with two-way device communications.